pwn学习笔记(12)–Chunk Extend and Overlapping

​ chunk extend 是堆漏洞的一种常见利用手法,通过 extend 可以实现 chunk overlapping(块重叠) 的效果。这种利用方法需要以下的时机和条件:

  • 程序中存在基于堆的漏洞
  • 漏洞可以控制 chunk header 中的数据

1、对inuse的fastbin进行extend:

1
2
3
4
5
6
7
8
9
10
11
12
13
 int main(void)
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);//分配第一个0x10的chunk
    malloc(0x10);//分配第二个0x10的chunk

    *(long long *)((long long)ptr-0x8)=0x41;// 修改第一个块的size域

    free(ptr);
    ptr1=malloc(0x30);// 实现 extend,控制了第二个块的内容
    return 0;
}

​ 首先进行两次malloc,之后看看heap的状态:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
In file: /mnt/hgfs/sharedict/ChunkExtend/extend.c
    3     void *ptr,*ptr1;
    4 
    5     ptr=malloc(0x10);//分配第一个0x10的chunk
    6     malloc(0x10);//分配第二个0x10的chunk
    7 
 ►  8     *(long long *)((long long)ptr-0x8)=0x41;// 修改第一个块的size域
    9 
   10     free(ptr);
   11     ptr1=malloc(0x30);// 实现 extend,控制了第二个块的内容
   12     return 0;
   13 }
─────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffde30 —▸ 0x555555758010 ◂— 0x0
01:0008│     0x7fffffffde38 ◂— 0x0
02:0010│ rbp 0x7fffffffde40 —▸ 0x5555555546e0 (__libc_csu_init) ◂— push   r15
03:0018│     0x7fffffffde48 —▸ 0x7ffff7a2d840 (__libc_start_main+240) ◂— mov    edi, eax
04:0020│     0x7fffffffde50 ◂— 0x1
05:0028│     0x7fffffffde58 —▸ 0x7fffffffdf28 —▸ 0x7fffffffe2ac ◂— '/mnt/hgfs/sharedict/ChunkExtend/test'
06:0030│     0x7fffffffde60 ◂— 0x1f7ffcca0
07:0038│     0x7fffffffde68 —▸ 0x55555555468a (main) ◂— push   rbp
───────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────
 ► f 0   0x5555555546aa main+32
   f 1   0x7ffff7a2d840 __libc_start_main+240
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758020
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

​ 有地址的话,就去读一下两个堆的内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000021		<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021		<======Chunk2
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1		<======Top Chunk
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 下一步开始释放,看一看修改chunk1的size域大小:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x41

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

​ 发现chunk2被修改后增大了的chunk1给那占了,heap里就只有一个Chunk了,看看内存:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000041			<======原Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021			<======原Chunk2
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1			<======Top Chunk
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 除去chunk1的size域变化了以外,似乎没有其他变化,但是,逻辑上来说,现在的堆里只有一个chunk了,之后free掉chunk1看看:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
pwndbg> heap
Free chunk (fastbins) | PREV_INUSE
Addr: 0x555555758000
Size: 0x41
fd: 0x00

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x555555758000 ◂— 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

​ 之后读取下内存:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000041
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 下一步是重头戏,试想,如果原chunk1的size域没有真正变化,那么我们进行malloc一个0x30大小的堆块的时候,就不会分配到这个地址上,而是从Top Chunk里拆分,那么事实上是怎么样的呢?实践出真知,看一下吧:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x41

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000041
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1			<======Top Chunk
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 显然,Top Chunk并未被拆分,这里确定了,似乎malloc(0x30)得到的堆块是原Chunk1的地址,这里说明了,这里的原chunk1因为size域被修改了之后成为了一个新的更大的堆块,这里也就造成了所谓的堆重叠了,chunk1因为修改了size域后,生成的那个新的chunk和chunk2部分重叠了,这也就导致了,有的对原chunk1的修改可以修改到chunk2的地方,如果chunk2保留了指针,那就可以对chunk2进行伪造,可以结合类似off by one和UAF形成很多种利用方式。

2、对inuse的smallbin进行extend:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
//gcc -g 2.c
//注意把之前那个a.out给删掉
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x80);//分配第一个 0x80 的chunk1
    malloc(0x10); //分配第二个 0x10 的chunk2
    malloc(0x10); //防止与top chunk合并

    *(long *)((long)ptr-0x8)=0xb1;
    free(ptr);
    ptr1=malloc(0xa0);
}

​ 首先进行三次分配,其中,第三次分配是防止extend后,chunk与topchunk进行合并,无需关注。先看看经过三次malloc之后的堆空间是啥样的:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758090
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk3
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31			<======Top Chunk
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

​ 估摸一下,chunk1的大小似乎有点大,导致free掉的chunk1并不会进入fastbin,而是进入smallbin,那么修改了size域后,原本三个chunk在gdb里的heap指令下依旧少了一个:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk3
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31			<======Top Chunk
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

​ 下一步,free掉chunk1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x5555557580b0
Size: 0x20

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x00000000000000b0  0x0000000000000020			<======Chunk3
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31			<======Top Chunk
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

​ 这里发现了一个点需要注意,就是free掉size域修改了之后的那个chunk1之后,chunk3的size域的最低为,也就是p位,变成了0,这也就说明,chunk1没有放在fastbin里,上面也看到了,被放在了unsortedbin里。

​ 那么为啥会被放入unsortedbin内而不是smallbin呢?估计有一下几种可能:

  • 当一个较大的chunk被分割成两半后,如果剩下的部分大于MINSIZE,就会被放到unsortedbin中。
  • 释放一个不属于fastbin的chunk,并且该chunk不和top chunk紧邻时,该chunk就会被放到unsorted bin 中,当第二次分配的时候,没有在unsortedbin中找到合适的,才会被放入到其对应的bin中。

​ 之后进行分配,分配0xa0大小的堆块,就会发现,原chunk1的地址依旧拿去用了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x00000000000000b0  0x0000000000000021
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

3、对free的smallbin进行extend:

1
2
3
4
5
6
7
8
9
10
11
12
13
//gcc -g 3.c
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x80);//分配第一个0x80的chunk1
    malloc(0x10);//分配第二个0x10的chunk2

    free(ptr);//首先进行释放,使得chunk1进入unsorted bin

    *(long *)((long)ptr-0x8)=0xb1;
    ptr1=malloc(0xa0);
}

​ 首先是两次malloc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758090
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51			<======Top Chunk
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 之后直接free掉chunk1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x91
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758090
Size: 0x20

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51			<======Top Chunk
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 这里还是能看出来存在两个chunk的,当修改了size域大小后:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 原本的三个chunk变成了两个,并且chunk2还是allocated状态,重叠之后,chunk1是free状态,所以整个chunk依旧是free状态。之后malloc(0xa0)试试:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

4、extend前向overlapping:

1
2
3
4
5
6
7
8
9
10
11
12
13
//gcc -g 4.c
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);//分配第1个 0x80 的chunk1
    malloc(0x10); //分配第2个 0x10 的chunk2
    malloc(0x10); //分配第3个 0x10 的chunk3
    malloc(0x10); //分配第4个 0x10 的chunk4    
    *(long *)((long)ptr-0x8)=0x61;
    free(ptr);
    ptr1=malloc(0x50);
}

​ 还是老样子,进行4次malloc,看下heap和bin以及chunk的内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758020
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000021			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021			<======Chunk3
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021			<======Chunk4
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81			<======Top Chunk
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 之后修改size域:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000061
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 之后free:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000061
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

​ 之后重新malloc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000061
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

5、通过extend前向overlapping:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
//gcc -g 5.c
int main(void)
{
    void *ptr1,*ptr2,*ptr3,*ptr4;
    ptr1=malloc(128);//smallbin1
    ptr2=malloc(0x10);//fastbin1
    ptr3=malloc(0x10);//fastbin2
    ptr4=malloc(128);//smallbin2
    malloc(0x10);//防止与top合并
    free(ptr1);
    *(int *)((long long)ptr4-0x8)=0x90;//修改pre_inuse域
    *(int *)((long long)ptr4-0x10)=0xd0;//修改pre_size域
    free(ptr4);//unlink进行前向extend
    malloc(0x150);//占位块
}

​ 经过五次malloc之后:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758090
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/54gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000091
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000
0x555555758140: 0x0000000000000000  0x0000000000000000
0x555555758150: 0x0000000000000000  0x0000000000000000
0x555555758160: 0x0000000000000000  0x0000000000000021
0x555555758170: 0x0000000000000000  0x0000000000000000
0x555555758180: 0x0000000000000000  0x0000000000020e81
0x555555758190: 0x0000000000000000  0x0000000000000000
0x5555557581a0: 0x0000000000000000  0x0000000000000000

​ free了chunk1之后,chunk2的p位已经变成0了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x91
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758090
Size: 0x20

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/54gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000091			<======Chunk3
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000
0x555555758140: 0x0000000000000000  0x0000000000000000
0x555555758150: 0x0000000000000000  0x0000000000000000
0x555555758160: 0x0000000000000000  0x0000000000000021			<======Chunk4
0x555555758170: 0x0000000000000000  0x0000000000000000
0x555555758180: 0x0000000000000000  0x0000000000020e81			<======Top Chunk
0x555555758190: 0x0000000000000000  0x0000000000000000
0x5555557581a0: 0x0000000000000000  0x0000000000000000

​ 之后修改了chunk3的pre_inuse,也就是size的最低为P位为0,然后修改pre_size位为0xd8,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x91
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758090
Size: 0x20

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Allocated chunk
Addr: 0x5555557580d0
Size: 0x90

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/54gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x00000000000000d0  0x0000000000000090			<======Chunk3
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000
0x555555758140: 0x0000000000000000  0x0000000000000000
0x555555758150: 0x0000000000000000  0x0000000000000000
0x555555758160: 0x0000000000000000  0x0000000000000021			<======Chunk4
0x555555758170: 0x0000000000000000  0x0000000000000000
0x555555758180: 0x0000000000000000  0x0000000000020e81			<======Top Chunk
0x555555758190: 0x0000000000000000  0x0000000000000000
0x5555557581a0: 0x0000000000000000  0x0000000000000000

​ 可以看出来,chunk3的pre_size域的大小刚好能够包含到完chunk1和chunk2。之后free掉了chunk3:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x161
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758160
Size: 0x20

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty

会发现,前面的三个chunk都被合并成了一个,这里主要是因为unlink的原因,导致了chunk3和前面的两个(主要是pre_size指定的大小范围内的)chunk发生了合并。之后再进行malloc,会分配走新的那个chunk1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x161

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty